Cisco Patches Eight IOS Security Flaws

Cisco recently patched eight vulnerabilities in its IOS operating system, as well as a single vulnerability in the Cisco Unified Communications Manager (UCM).

"That flaw is a DoS bug in the SIP (session initiation protocol) implementation in UCM," writes Threatpost's Dennis Fisher. "SIP is used in a variety of products to help set up voice and video calls on IP networks. 'A vulnerability exists in the SIP implementation in Cisco Unified Communications Manager that could allow a remote attacker to cause a critical service to fail, which could interrupt voice services. This vulnerability is triggered when an affected device processes a crafted SIP message that contains a valid Session Description Protocol (SDP) message. Only traffic destined to the device can trigger the vulnerability; transit SIP traffic is not an exploit vector,' Cisco said in its advisory."

"According to the company, the Session Initiation Protocol (SIP) implementation in its IOS Software and its IOS XE Software has a bug that could enable a remote attacker to cause a device to reload, assuming that the devices are configured to process SIP messages and for pass-through of Session Description Protocol (SDP)," writes CRN's Ken Presti. "'This vulnerability is triggered when an affected device processes a crafted SIP message that contains a valid Session Description Protocol (SDP) message,' the advisory reports. 'Only traffic destined to the device can trigger the vulnerability; transit SIP traffic is not an exploit vector. SDP pass-through must be enabled, either at the global level, or at the dial-peer level, for a device to be affected by this vulnerability.'"

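The exposure condition quoted above (SDP pass-through enabled globally or on a dial-peer) can be checked against a saved running-config. The script below is an added example, not code from Cisco or from the quoted articles; it assumes the IOS commands `pass-thru content sdp` (under `voice service voip` / `sip`) and `voice-class sip pass-thru content sdp` (under a VoIP dial-peer), uses a constructed sample config, and does not check whether the device is configured to process SIP at all.

```python
import re

# Constructed sample running-config for illustration (not from a real device).
SAMPLE_CONFIG = """\
voice service voip
 allow-connections sip to sip
 sip
  pass-thru content sdp
!
dial-peer voice 100 voip
 session protocol sipv2
 voice-class sip pass-thru content sdp
!
dial-peer voice 200 voip
 session protocol sipv2
 no voice-class sip pass-thru content sdp
!
dial-peer voice 300 pots
 destination-pattern 9T
!
"""

def audit_sdp_passthru(config: str) -> dict:
    """Report where SDP pass-through is enabled in an IOS running-config."""
    result = {"global": False, "dial_peers": []}
    section = None  # the top-level (unindented) block currently being read
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line[0].isspace():
            section = line  # an unindented line opens a new block
            continue
        cmd = line.strip()
        # Global level: nested under "voice service voip" -> "sip".
        if section == "voice service voip" and cmd == "pass-thru content sdp":
            result["global"] = True
        # Dial-peer level: only VoIP dial-peers carry SIP settings.
        peer = re.match(r"dial-peer voice (\d+) voip", section or "")
        if peer and cmd == "voice-class sip pass-thru content sdp":
            result["dial_peers"].append(int(peer.group(1)))
    # The advisory's condition: enabled at either level.
    result["condition_met"] = result["global"] or bool(result["dial_peers"])
    return result

if __name__ == "__main__":
    print(audit_sdp_passthru(SAMPLE_CONFIG))
```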
"The release comes six months after the company's last IOS update and is part of a regularly-scheduled twice yearly patch release for the platform," writes V3.co.uk's Shaun Nichols. "Cisco's release comes just days after Microsoft pushed out an out-of-band security update which users and administrators of Windows XP systems have been urged to install. The patch addresses a security vulnerability in Internet Explorer which has been targeted for use in drive-by malware attacks."